Thesis · in progress

The Schedule-Access Gap

Why HIPAA's “minimum necessary” doctrine requires time-aware IAM.

The full-length piece is being drafted and will appear here on publication. It argues that the dominant IAM stack — Okta, SailPoint, CyberArk, Microsoft Entra — cannot defensibly enforce HIPAA's minimum-necessary access principle for shift workers, because none of them are aware of when an employee is actually on shift.

The argument runs in three moves:

  1. Time-based conditional access is not schedule-aware. Okta's 9-to-5 rules are calendar-based, not bound to verified shifts.
  2. Standing access creates standing risk. 75% of insider security incidents (Ponemon 2024) are non-malicious — employees with access they no longer need.
  3. The bridge has to be its own platform. No incumbent can ship schedule-aware policies without cannibalizing their core conditional-access licensing — making this a category-creation opportunity.
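The distinction in move 1 is easiest to see as two policy evaluators run over the same access attempts. The following is an added illustration, not code from the essay or from any of the vendors it names: a business-hours rule that consults only the clock, beside a schedule-aware rule that consults a verified shift roster. The roster, the users, the grace window and the access events are all constructed for the example. Where the two rules disagree, the record is labelled either an over-grant (the standing-access case in move 2) or an under-grant (an on-shift worker blocked by a calendar rule), which goes one step beyond the text by showing that a fixed time window fails in both directions.

```python
"""Calendar-window vs schedule-aware access decisions (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc


def ts(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the constructed data below)."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


@dataclass(frozen=True)
class Shift:
    """One verified shift as a hypothetical scheduling system would publish it."""
    user: str
    start: datetime  # timezone-aware; a night shift simply spans midnight
    end: datetime


# Constructed roster: a night-shift nurse and a day-shift clerk. Not real data.
ROSTER = [
    Shift("nurse.kim", ts(2024, 3, 4, 19), ts(2024, 3, 5, 7)),
    Shift("clerk.ali", ts(2024, 3, 5, 9), ts(2024, 3, 5, 17)),
]


def calendar_window_allows(now: datetime, start: time = time(9), end: time = time(17)) -> bool:
    """A fixed '9-to-5' rule: the only fact it can consult is the wall clock."""
    return start <= now.time() < end


def schedule_aware_allows(user: str, now: datetime, roster=ROSTER,
                          grace: timedelta = timedelta(minutes=15)) -> bool:
    """Grant only inside one of this user's verified shifts, plus a short handover grace window."""
    return any(
        shift.user == user and shift.start - grace <= now < shift.end + grace
        for shift in roster
    )


def decide(user: str, now: datetime, roster=ROSTER) -> dict:
    """Evaluate both rules and classify any disagreement between them."""
    calendar = calendar_window_allows(now)
    scheduled = schedule_aware_allows(user, now, roster)
    if calendar and not scheduled:
        gap = "over-grant"   # access granted outside any verified shift: standing access
    elif scheduled and not calendar:
        gap = "under-grant"  # on-shift worker refused by a rule that only knows the clock
    else:
        gap = None           # both rules agree; no schedule-access gap on this attempt
    return {"user": user, "at": now.isoformat(), "calendar_rule": calendar,
            "schedule_rule": scheduled, "gap": gap}


def find_gaps(events, roster=ROSTER) -> list:
    """Run (user, timestamp) access attempts through both rules; keep those where they disagree."""
    return [d for d in (decide(user, at, roster) for user, at in events) if d["gap"]]


# Constructed access attempts covering all four on/off-shift x inside/outside-window cases.
EVENTS = [
    ("nurse.kim", ts(2024, 3, 4, 23, 30)),  # on shift, outside 9-to-5
    ("nurse.kim", ts(2024, 3, 5, 10)),      # off shift, inside 9-to-5
    ("clerk.ali", ts(2024, 3, 5, 10)),      # on shift, inside 9-to-5
    ("clerk.ali", ts(2024, 3, 5, 20)),      # off shift, outside 9-to-5
]

if __name__ == "__main__":
    for record in find_gaps(EVENTS):
        print(record)
```

Running it prints the two disagreeing records: the nurse is refused at 23:30 while on a verified shift, and granted at 10:00 the next morning with no shift at all. Only the second rule has enough information to say which of those is the minimum-necessary outcome; the grace window is the one policy knob the roster-based rule needs that the clock-based rule has no place for.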

Want the draft when it's ready?

Walk the demo and the post-call follow-up will include early access.
